Hi Edward,

Kenworthy, Edward wrote:
> Having to respond to you via Toby's response as for some reason my reader
> claims your original post has funny chars in it and won't show it properly!
Sorry, that is probably due to KOI-8 Russian encoding that I use by
default.

>> > 2) it is allowed that security-manager is set, but
>> > role-mapping-manager is not set (now this is not allowed).

> Nope. Bad idea. I think the role-mapping-manager should be mandatory.
Why? I don't want to use EJB role mapping, our application has
proprietary authorization rules that cannot be implemented via EJB
security. 

>> > In this case:
>> >  a) throw illegal access exception iff the set of roles for the
>> > given method is non-empty,
>> >  b) isCallerInRole() always returns false

> Possibly you might provide a default role-mapping-manager that does this. I
> think this is the neatest way to achieve what you are trying without coding
> any special-case code into jBoss (IF <no role-mapping-manager> do this ELSE
> do that).
Do you care about coding or about user convenience?
I care about the latter.
Code is already written, quite clear, nothing complicated.

Oleg

> -----Original Message-----
> From: Toby Allsopp [mailto:[EMAIL PROTECTED]]
> Sent: 20 December 2000 00:09
> To: jBoss Developer
> Subject: Re: [jBoss-Dev] Optional Security


> Makes a lot of sense to me. The trick is to make bad suggestions so that
> people have to convince you of the error of your ways. Then, after
> putting up a small fight, you make the good suggestion and then
> everybody's happy. Or, you could just continue making good suggestions
> and save everybody some time :-)

> Toby.

> Oleg Nitz wrote:
>> 
>> Hey!
>> 
>> Is there anybody out there?
>> No objections, no comments, so I'll do the proposed change.
>> Any objections or comments now?
>> :-)
>> 
>> Oleg
>> 
>> On Tuesday 19 December 2000 02:08, Oleg Nitz wrote:
>> > Hi All,
>> >
>> > Now JBoss security is optional in the following sense:
>> > if client doesn't set Principal, authentication is not performed.
>> > I don't see good reasons for this strange rule.
>> > Does anybody see?
>> > I propose the following rules:
>> > 1) authentication is performed iff the security-manager is set for
>> > the given bean.
>> > 2) it is allowed that security-manager is set, but
>> > role-mapping-manager is not set (now this is not allowed).
>> > In this case:
>> >  a) throw illegal access exception iff the set of roles for the
>> > given method is non-empty,
>> >  b) isCallerInRole() always returns false
>> >
>> > Any objections or comments?
>> >
>> > Regards,
>> >  Oleg
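
The rules proposed in this thread, written out as an added Java sketch (not part of the original messages and not JBoss code). `Authenticator`, `RoleMapper`, `checkCall` and the class name are hypothetical stand-ins for the security-manager, the role-mapping-manager and the container's call check, and `SecurityException` stands in for the "illegal access exception" the proposal mentions.

```java
import java.security.Principal;
import java.util.Set;

// Added illustration of the rules proposed in this thread; not JBoss code.
// Authenticator and RoleMapper are hypothetical stand-ins for the
// security-manager and role-mapping-manager configured on a bean.
public class OptionalSecurityExample {
    interface Authenticator { boolean isValid(Principal p, Object credential); }
    interface RoleMapper { boolean doesUserHaveRole(Principal p, Set<String> roles); }

    private final Authenticator securityManager;   // null = not configured
    private final RoleMapper roleMappingManager;   // null = not configured

    OptionalSecurityExample(Authenticator sm, RoleMapper rm) { securityManager = sm; roleMappingManager = rm; }

    // Rule 1: whether authentication runs depends on the bean's configuration,
    // not on whether the client chose to send a Principal.
    void checkCall(Principal caller, Object credential, Set<String> methodRoles) {
        if (securityManager == null) return;             // bean is unsecured
        if (caller == null || !securityManager.isValid(caller, credential))
            throw new SecurityException("authentication failed");
        if (roleMappingManager == null) {
            // Rule 2a: roles are declared but nothing can map them, so deny.
            if (!methodRoles.isEmpty())
                throw new SecurityException("illegal access: no role mapping");
            return;
        }
        // Assumption (not stated in the thread): a method with no roles is unrestricted.
        if (!methodRoles.isEmpty() && !roleMappingManager.doesUserHaveRole(caller, methodRoles))
            throw new SecurityException("illegal access: role required");
    }

    // Rule 2b: without a role-mapping-manager the caller is in no role.
    boolean isCallerInRole(Principal caller, String role) {
        return roleMappingManager != null
            && roleMappingManager.doesUserHaveRole(caller, Set.of(role));
    }

    public static void main(String[] args) {
        Principal alice = () -> "alice";                 // constructed sample principal
        OptionalSecurityExample bean =                   // security-manager set, no role mapper
            new OptionalSecurityExample((p, c) -> "secret".equals(c), null);
        bean.checkCall(alice, "secret", Set.of());       // authenticated, method has no roles
        System.out.println(bean.isCallerInRole(alice, "admin"));
        try { bean.checkCall(null, null, Set.of()); }    // missing Principal is rejected, not skipped
        catch (SecurityException e) { System.out.println(e.getMessage()); }
        try { bean.checkCall(alice, "secret", Set.of("admin")); }
        catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```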
